Data Processing Agreement (Template)
Version 1.0 — 17 June 2026
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement between TravelCS ("Processor") and the operator identified in the order form ("Controller") and governs the processing of personal data by TravelCS on the Controller's behalf in connection with the TravelCS platform (the "Services").
It implements Article 28 GDPR and, where personal data is transferred outside the EEA, incorporates the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 (the "EU SCCs"), Module 2 (controller-to-processor) and Module 3 (processor-to-processor) as applicable.
1. Definitions
Terms in capitals have the meaning given in the GDPR. "Personal data", "processing", "controller", "processor", "sub-processor", "data subject" and "supervisory authority" each have the meaning given in Article 4 GDPR.
2. Subject matter and duration
TravelCS processes personal data only to provide the Services to the Controller for the duration of the Master Services Agreement and for any post-termination period necessary to return or delete the data in accordance with Section 11.
3. Nature and purpose of processing
- Hosting and storage of operator and customer records (booking_leads, leads, messages).
- AI-assisted classification, drafting and routing of inbound customer messages.
- Authentication, access control and audit logging.
- Sending operational notifications and DSAR verification emails on the Controller's behalf.
4. Categories of data subjects
- The Controller's end customers (travellers).
- The Controller's own employees who use the platform.
5. Categories of personal data
- Identifying / contact data (name, email, phone).
- Booking and itinerary data.
- Message content exchanged between the Controller and its customers.
- Technical data (IP address, user-agent, log timestamps) — Recital 30.
Special categories of personal data (Art. 9) are not required for the Services and should not be submitted by the Controller. Children's data (Art. 8) may be submitted only where the Controller has a lawful basis for doing so.
6. Processor obligations (Art. 28(3))
- Documented instructions. TravelCS processes personal data only on the Controller's documented instructions, including transfers, except where required by EU or Member State law (in which case TravelCS will inform the Controller before processing, unless the law prohibits it).
- Confidentiality. All persons authorised to process the data are bound by a written confidentiality obligation or statutory duty of confidentiality.
- Security (Art. 32). TravelCS implements the technical and organisational measures set out in Annex II, including row-level security, encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege admin access, audit logging and an automated security-by-default policy on every new database table.
- Sub-processors. The Controller authorises TravelCS to engage the sub-processors listed at /sub-processors. TravelCS will give at least 14 days' prior notice of any change; the Controller may object in writing during that period.
- Data subject rights. TravelCS assists the Controller in fulfilling DSARs via the workflow at /dsar and via in-platform exports.
- Art. 32-36 assistance. TravelCS assists the Controller with security, breach notification, DPIAs and prior consultation, taking the nature of processing and the information available to it into account.
- Breach notification (Art. 33(2)). TravelCS notifies the Controller without undue delay — and in any event within 48 hours — after becoming aware of a personal data breach, using the runbook at /breach-response-plan.
- Return / deletion. On termination, TravelCS will, at the Controller's choice, delete or return all personal data within 30 days, unless EU or Member State law requires retention.
- Audit. TravelCS makes available all information necessary to demonstrate compliance with Art. 28 and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to confidentiality and operational security.
7. International transfers (Chapter V)
Customer data is hosted in the EEA by default. Where personal data is transferred to a sub-processor outside the EEA, the parties incorporate the EU SCCs (2021/914), Module 2 for controller-to-processor transfers and Module 3 for processor-to-sub-processor transfers, by this reference. The optional Clause 7 (docking clause) and Clause 11(a) option are NOT selected. Clause 17 governing law: Ireland. Clause 18 forum: Irish courts.
Annex I.A (parties), Annex I.B (description of transfer), Annex I.C (competent supervisory authority — the Controller's lead supervisory authority) and Annex II (technical and organisational measures) are populated automatically from the order form and the Annex II template below.
8. Annex II — Technical and organisational measures (summary)
- Access control: SSO + MFA for admin; per-operator row-level security on every tenant table; security-definer authorisation functions; quarterly access review.
- Encryption: TLS 1.2+ in transit; AES-256 at rest; OAuth tokens stored server-side and never returned to the browser.
- Logging & monitoring: Append-only audit log for DSARs, breach incidents and admin actions; automated RLS coverage probe and "security-by-default" event trigger on every new table.
- Resilience: Daily managed backups with point-in-time recovery; tested restore procedure.
- Vendor management: All sub-processors are bound by their own DPAs and SCCs where applicable.
9. Signing this DPA
An operator can request a counter-signed copy of this DPA at any time by emailing dpo@travelcs.ai with the operator name, billing entity and the Controller's lead supervisory authority. TravelCS will return a signed PDF within 5 business days.
10. Order of precedence
In case of conflict between this DPA and the Master Services Agreement, this DPA prevails on matters relating to the processing of personal data. In case of conflict between this DPA and the EU SCCs (where applicable), the EU SCCs prevail.
11. Termination & data return
On termination, the Controller may export its data via the in-platform export tools at any time during the 30-day post-termination window. After that window, TravelCS will delete the data and instruct sub-processors to do the same, save for backups which expire on their rolling schedule.
12. Contact
Data Protection Officer: dpo@travelcs.ai. Postal address: TravelCS, c/o the entity named in the order form.